IT: Risk. Control. Assurance.

Guiding your business through audits, migrations, and transformations with clarity, compliance, and confidence

LATEST

ISACA’s May 2025 article, "Five Ways that IT Auditors Can Put AI to Good Use," cuts through the hype by focusing on where AI can genuinely improve audit execution: smarter risk analysis, faster evidence collection, more comprehensive controls testing, continuous assurance, and automation of routine audit activities. Crucially, it also stresses that auditors must balance AI capability with sound governance, clear objectives, and audit standards alignment, a message that resonates strongly for ITGC and SOX-style programmes. 

1) Risk analysis that's broader, and earlier

ISACA positions AI-driven predictive analytics and process mining as a way to move beyond manual, interview-heavy risk assessments toward systematic analysis of operational and financial data. The practical win for IT audit is earlier insight: emerging patterns (fraud indicators, outage precursors, control breakdown trends) can shape the plan before fieldwork begins.
ITGC implication: if AI is influencing audit scoping, ensure inputs are governed (data lineage, completeness, and access restrictions) so you’re not "optimising" around flawed data.

2) Automated evidence collection, done the audit-ready way

ISACA highlights AI/NLP approaches that can extract and categorise evidence from logs, transactions, emails, invoices, and policy documentation, reducing time and human error.
Audit-ready guardrail: automation must not weaken evidence quality. Define standards for what "good evidence" looks like (timestamped, attributable, reproducible, and traceable to a system of record). If evidence is AI-curated, document the extraction logic and validation checks.

3) Intelligent controls testing beyond sampling

The article notes that AI can test "whole populations" and flag anomalies or exceptions in near real time, including process mining across end-to-end workflows (for example, procurement).
SOX/ITGC angle: population testing is powerful, but it increases scrutiny on the reliability of the underlying reports, configurations, and access controls. If the AI flags exceptions, be ready to show how the test was designed, what data was used, and how false positives are handled.

4) Continuous assurance that actually reduces time-to-risk

ISACA describes continuous auditing/control monitoring accelerated by AI: live alerts on deviations from thresholds, prompting rapid investigation and remediation.
How to operationalise it: don’t start by “monitoring everything.” Start with a handful of controls tied to critical risks (privileged access changes, key interface failures, high-risk journal activity, or emergency change patterns). Define ownership and response SLAs so monitoring doesn’t become noise.

5) Automation that improves stakeholder experience

ISACA's examples include NLP chatbots for audit process guidance and status updates, and even automating routine meeting components.
Governance tip: apply least-privilege access and clear content controls, especially if the tool can surface sensitive audit issues, recommendation status, or KPI data.

Bringing it together: AI is a multiplier, not a substitute

ISACA’s closing point is the one many teams miss: AI succeeds in audit when it is anchored to governance and standards (the article references COBIT and the IIA’s IPPF as reminders to stay current and disciplined).

The professional takeaway for 2025 planning is simple: treat AI enablement like any other audit transformation. Define objectives, validate inputs, document methods, and reinforce the ITGC foundations that make results defensible. If your audit function can do that, AI won’t just speed up delivery; it will raise assurance quality and sharpen technology risk insight.

Building Assurance Through Risk-Based Decisions

Stay informed with the latest updates, analysis, and expert commentary from GNAW Resources, your partner in IT Risk Assurance and Audit Readiness.
We deliver practical, results-driven solutions to strengthen governance, controls, and compliance across complex technology environments.

Our focus areas include IT Risk Management, IT General Controls (ITGC) Reviews, Audit Preparation and Mitigation, and Control Planning for Cloud Migrations and Transformations.


With extensive experience in IT SOX compliance, security frameworks, and global assurance standards, our team helps organisations stay audit-ready, secure, and confident in every review cycle.

Empowering leaders to make informed, risk-based decisions: that’s the GNAW Resources commitment. A community of forward-thinking professionals taking a smarter, stronger approach to technology risk.